Cuckoo Sandbox Book Release 2.0.7
Cuckoo Sandbox
Jun 27, 2020

Contents

1 Using the new Cuckoo Package? ..... 3
2 Having troubles? ..... 5
  2.1 FAQ ..... 5
3 Contents ..... 15
  3.1 Introduction ..... 15
  3.2 Installation ..... 21
  3.3 Usage ..... 63
  3.4 Customization ..... 109
  3.5 Development ..... 126
  3.6 Final Remarks ..... 133
Index ..... 137

Cuckoo Sandbox is open source software for automating the analysis of suspicious files. To do so it makes use of custom components that monitor the behavior of the malicious processes while they run in an isolated environment.

This guide will explain how to set up Cuckoo, use it, and customize it.

CHAPTER 1
Using the new Cuckoo Package?

There are various big improvements related to usability in the newly released Cuckoo Package. To get the most out of it, start reading on the different subjects related to it. Following are some of the highlights:

• Cuckoo Working Directory
• Cuckoo Working Directory Usage
• Installing Cuckoo
• Upgrading from a previous release
• Cuckoo Feedback

CHAPTER 2
Having troubles?

If you're having troubles you might want to check out the FAQ, as it may already have the answers to your questions.

2.1 FAQ

Here you can find answers to various Frequently Asked Questions:

• General Questions
  – Can I analyze URLs with Cuckoo?
  – Can I use Volatility with Cuckoo?
  – What do I need to use Cuckoo with VMware ESXi?
• Troubleshooting
  – After an upgrade Cuckoo stops working
  – Cuckoo stumbles and produces some error I don't understand
  – Check and restore current snapshot with KVM
  – Check and restore current snapshot with VirtualBox
  – Unable to bind result server error
  – Error during template rendering
  – 501 Unsupported Method ('GET')
  – Permission denied for tcpdump
  – DistributionNotFound / No distribution matching the version..
  – IOError: [Errno 24] Too many open files
  – pkg_resources.ContextualVersionConflict
  – ValueError: incomplete format key
  – Troubleshooting VM network configuration
  – Cuckoo says there's a version 2.1.0?
  – No handlers could be found for logger X in UWSGI log

2.1.1 General Questions

Can I analyze URLs with Cuckoo?

New in version 0.5: Native support for URL analysis was added to Cuckoo.

Changed in version 2.0-rc1: Cuckoo will not only start the browser (i.e., Internet Explorer) but will also attempt to actively instrument it in order to extract interesting results such as executed JavaScript, iframe URLs, etc. See also our 2.0-rc1 blogpost.

Additional details on URL submissions are documented at Submit an Analysis, but it boils down to:

    $ cuckoo submit --url http://www.example.com

Can I use Volatility with Cuckoo?

New in version 0.5: Cuckoo introduces support for optional full memory dumps, which are created at the end of the analysis process. You can use these memory dumps to perform additional memory forensic analysis with Volatility.

Please also consider that we don't particularly encourage this: since Cuckoo employs some rootkit-like technologies to perform its operations, the results of a forensic analysis would be polluted by the sandbox's components.

What do I need to use Cuckoo with VMware ESXi?

To run with VMware vSphere Hypervisor (or ESXi) Cuckoo leverages libvirt or pyVmomi (the Python SDK for the VMware vSphere API).
The VMware APIs are used to take control of the virtual machines, but these APIs are available only in the licensed version. In the free edition of VMware vSphere these APIs are read-only, so you will be unable to use it with Cuckoo. For the minimum license needed, please have a look at the VMware website.

2.1.2 Troubleshooting

After an upgrade Cuckoo stops working

You probably upgraded it the wrong way. It's not good practice to overwrite the files, because of Cuckoo's complexity and quick evolution. Please follow the upgrade steps described in Upgrading from a previous release.

Cuckoo stumbles and produces some error I don't understand

Cuckoo is a mature but always evolving project; it's possible that you encounter some problems while running it, but before you rush into sending emails to everyone make sure you read what follows.

Cuckoo is not meant to be a point-and-click tool: it's designed to be a highly customizable and configurable solution for somewhat experienced users and malware analysts. It requires you to have a decent understanding of your operating systems, Python, and the concepts behind virtualization and sandboxing. We try to make it as easy to use as possible, but you have to keep in mind that it's not a technology meant to be accessible to just anyone.

That being said, if a problem occurs you have to make sure that you did everything you could before asking for time and effort from our developers and users. We just can't help everyone: we have limited time and it has to be dedicated to development and the fixing of actual bugs.

• We have extensive documentation, read it carefully. You can't just skip parts of it.
• We have a Discussion page where you can find the discussion platforms on which we're frequently helping our users.
• We have lots of users producing content on the Internet; Google it.
• Spend some of your own time trying to fix the issue before asking for ours; you might even get to learn and understand Cuckoo better.

Long story short: use the existing resources, put some effort into it and don't abuse people.

If you still can't figure out your problem, you can ask for help on our online communities (see Final Remarks). Make sure when you ask for help to:

• Use a clear and explicit title for your emails: "I have a problem", "Help me" or "Cuckoo error" are NOT good titles.
• Explain in detail what you're experiencing. Try to reproduce your issue several times and write down all the steps needed to achieve that.
• Use no-paste services and link your logs, configuration files and details on your setup.
• Eventually provide a copy of the analysis that generated the problem.

Check and restore current snapshot with KVM

If something goes wrong with a virtual machine it's best practice to check the current snapshot status. You can do that with the following:

    $ virsh snapshot-current "<Name of VM>"

If you got a long XML document as output, your current snapshot is configured and you can skip the rest of this chapter; if instead you got an error like the following, your current snapshot is broken:

    $ virsh snapshot-current "<Name of VM>"
    error: domain '<Name of VM>' has no current snapshot

To fix this and create a current snapshot, first list all the machine's snapshots:

    $ virsh snapshot-list "<Name of VM>"
     Name                 Creation Time             State
    ------------------------------------------------------------
     1339506531           2012-06-12 15:08:51 +0200 running

Choose one snapshot name and set it as current (the command is a virsh subcommand):

    $ virsh snapshot-current "<Name of VM>" --snapshotname 1339506531
    Snapshot 1339506531 set as current

Now the virtual machine state is fixed.

Check and restore current snapshot with VirtualBox

If something goes wrong with a virtual machine it's best practice to check the virtual machine status and the current snapshot.
First of all check the virtual machine status with the following:

    $ VBoxManage showvminfo "<Name of VM>" | grep State
    State:           powered off (since 2012-06-27T22:03:57.000000000)

If the state is "powered off" you can go ahead with the next check; if the state is "aborted" or something else you have to restore it to "powered off" first:

    $ VBoxManage controlvm "<Name of VM>" poweroff

With the following, check the current snapshot state:

    $ VBoxManage snapshot "<Name of VM>" list --details
       Name: s1 (UUID: 90828a77-72f4-4a5e-b9d3-bb1fdd4cef5f)
       Name: s2 (UUID: 97838e37-9ca4-4194-a041-5e9a40d6c205) *

If you have a snapshot marked with a star "*" your snapshot is ready; you still have to restore the current snapshot:

    $ VBoxManage snapshot "<Name of VM>" restorecurrent

Unable to bind result server error

If at Cuckoo startup you get an error message like this one:

    2014-01-07 18:42:12,686 [root] CRITICAL: CuckooCriticalError: Unable to bind result server on 192.168.56.1:2042: [Errno 99] Cannot assign requested address

it means that Cuckoo is unable to start the result server on the IP address written in cuckoo.conf (or in machinery.conf, if you are using the resultserver_ip option inside it). This usually happens when you start Cuckoo without bringing up the virtual interface associated with the result server IP address.

You can bring it up manually; how to do so differs from one virtualization software to another, but if you don't know how, a good trick is to manually start and stop an analysis virtual machine, which will bring the virtual networking up. In the case of VirtualBox the hostonly interface vboxnet0 can be created as follows:

    # If the hostonly interface vboxnet0 does not exist already.
    $ VBoxManage hostonlyif create

    # Configure vboxnet0.
    $ VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0

Error during template rendering

Changed in version 2.0-rc1.

In our 2.0-rc1 release a bug was introduced that looks as follows in the screenshot below.
In order to resolve this issue in your local setup, please open the web/analysis/urls.py file and modify the 21st line by adding an underscore as follows:

-"/(?P<ip>[\d\.]+)?/(?P<host>[a-zA-Z0-9-\.]+)?"
+"/(?P<ip>[\d\.]+)?/(?P<host>[ a-zA-Z0-9-_\.]+)?"

The official fixes for this issue can be found in the following commits.
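Review bot: the "+" line as printed here opens the host character class with a space ("[ a-zA-Z0-9-_\.]"), which would make a literal space a legal host character in the URL route; if that space is an artifact of how the line was typeset rather than part of the intended fix, the class should read "[a-zA-Z0-9-_\.]". Independently of that, both the old and the new line keep a bare "-" in the middle of the class ("0-9-\." and "0-9-_"); Python's re module accepts it as a literal only because it directly follows a completed range, so placing it last ("[a-zA-Z0-9_.-]") would make the intent explicit and avoid a "bad character range" error if the class is ever reordered.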
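The VirtualBox check-and-restore procedure from the FAQ above, in script form, added here as an example that is not part of the Cuckoo book or of Cuckoo's own code; the sample outputs are constructed in the shape of the FAQ's transcripts, and the helper names and the VM name "cuckoo1" are assumptions.

```python
import re
import subprocess

# Constructed sample outputs in the shape of the FAQ's own transcripts; the
# UUIDs and timestamp are the FAQ's, everything else here is assumed.
SAMPLE_VMINFO = "State:           powered off (since 2012-06-27T22:03:57.000000000)\n"
SAMPLE_SNAPSHOTS = (
    "   Name: s1 (UUID: 90828a77-72f4-4a5e-b9d3-bb1fdd4cef5f)\n"
    "   Name: s2 (UUID: 97838e37-9ca4-4194-a041-5e9a40d6c205) *\n"
)

STATE_RE = re.compile(r"^State:\s+(.+?)\s+\(since", re.M)
SNAP_RE = re.compile(r"^\s*Name:\s+(\S+)\s+\(UUID:\s*([0-9a-f-]+)\)(\s*\*)?", re.M)

def vm_state(showvminfo_output):
    """Extract the State value ('powered off', 'aborted', ...) from showvminfo."""
    m = STATE_RE.search(showvminfo_output)
    return m.group(1) if m else None

def current_snapshot(snapshot_list_output):
    """Return the name of the snapshot marked '*' (current), or None if none is."""
    for name, _uuid, star in SNAP_RE.findall(snapshot_list_output):
        if star:
            return name
    return None

def plan_repair(showvminfo_output, snapshot_list_output):
    """Return the VBoxManage subcommands the FAQ prescribes, in order, or None
    when no snapshot is marked current (the FAQ gives no automatic fix)."""
    if current_snapshot(snapshot_list_output) is None:
        return None
    steps = []
    if vm_state(showvminfo_output) != "powered off":
        steps.append(["controlvm", "poweroff"])   # 'aborted' or anything else
    steps.append(["snapshot", "restorecurrent"])
    return steps

def repair_vm(vm_name, run=subprocess.check_call, query=subprocess.check_output):
    """Apply plan_repair to a real VM; needs VBoxManage on PATH unless run/query
    are replaced by fakes (as the test does)."""
    info = query(["VBoxManage", "showvminfo", vm_name]).decode()
    snaps = query(["VBoxManage", "snapshot", vm_name, "list", "--details"]).decode()
    plan = plan_repair(info, snaps)
    if plan is None:
        raise RuntimeError("no snapshot marked current for %s" % vm_name)
    for sub, *args in plan:
        run(["VBoxManage", sub, vm_name] + args)
    return plan
```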
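A start-up preflight for the "Unable to bind result server" case from the FAQ above, added here as an example that is not Cuckoo's own code; the cuckoo.conf excerpt is constructed and the helper names are assumptions. It reproduces the bind Cuckoo attempts and maps EADDRNOTAVAIL (the FAQ's Errno 99) to the interface fix the FAQ describes.

```python
import configparser
import errno
import socket

# Constructed sample of the [resultserver] section of cuckoo.conf (assumed
# for this example; a real file carries many more sections and options).
SAMPLE_CUCKOO_CONF = """
[resultserver]
ip = 192.168.56.1
port = 2042
"""

def resultserver_address(cuckoo_conf_text):
    """Return the (ip, port) pair Cuckoo will try to bind its result server to."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cuckoo_conf_text)
    return cfg.get("resultserver", "ip"), cfg.getint("resultserver", "port")

def bind_error(ip, port=0):
    """Try to bind a TCP socket to ip:port; return the errno on failure, None on success.

    With port 0 the kernel picks a free port, so the probe only tests whether the
    address is assigned to a local interface, which is the FAQ's Errno 99 case.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((ip, port))
        return None
    except OSError as exc:
        return exc.errno
    finally:
        sock.close()

def diagnose(ip, port=0):
    """Map a bind failure to the remedy the FAQ describes."""
    err = bind_error(ip, port)
    if err is None:
        return "ok"
    if err == errno.EADDRNOTAVAIL:
        # Errno 99 on Linux: the virtual interface holding this address is down.
        return ("address not local: bring up the host-only interface first, e.g. "
                "VBoxManage hostonlyif ipconfig vboxnet0 --ip %s" % ip)
    if err == errno.EADDRINUSE:
        return "port in use: another result server or process is listening"
    return "bind failed: %s" % errno.errorcode.get(err, err)
```

Run it as `ip, port = resultserver_address(open("cuckoo.conf").read()); print(diagnose(ip, port))` before starting Cuckoo; 192.0.2.0/24 (TEST-NET-1) is a convenient never-local address for checking the failure path.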